Re: How to Restrict a User's Access Using SFTP?

Author: Eric Shubert
Date:  
To: plug-discuss
Subject: Re: How to Restrict a User's Access Using SFTP?
That should be ok.

Be sure you have your ftp server configured such that they cannot access
folders above/across their home folder. File permissions may handle
this, but probably will not (many things are world readable).

Also, be sure that they cannot log in to a command prompt by setting
their login shell to /sbin/nologin (might vary with distro). This is
commonly done for service accounts (apache, etc).

On 12/28/2011 03:38 PM, Mark Phillips wrote:
> Thanks to everyone for their suggestions. Based on some constraints,
> your advice, some googling, I arrived at this set-up, but I am not sure
> how secure it is.
>
> 1. The web creation software (iWeb on a Mac) only supports ftp and sftp
> to upload a site.
> 2. iWeb does not support the use of "versions" for the web pages. By
> that I mean iWeb is strictly one way - create a site and publish it. It
> cannot import an iWeb site, it has to start at the beginning. One can
> create a site and publish it, then edit the site, and publish again, but
> it cannot import or use a previous version of the site as a starting
> point. (I mention this because Eric suggested using git, which sounded
> like a great idea, but alas
>
> I have this setup, but I could use some advice on how to make it more
> secure....
>
> 1. User account fred
> 2. fred's home is /var/www/domain/fred
> 3. /var/www/domain/fred has owner:group fred:fred
> 4. Document root is /var/www/domain/fred
>
> Thanks,
>
> Mark
>
> On Wed, Dec 28, 2011 at 10:26 AM, Eric Shubert <ejs@shubes.net> wrote:
>
>     On 12/27/2011 10:46 PM, Mark Phillips wrote:
>
>         I need to give a user access to my web server via sftp to upload web
>         site changes. What is the best way to do this? I have several other
>         sites on the same server, so I want to prevent them or anyone else who
>         gains access to their account from being able to make changes to those
>         sites or other parts of the server.
>
>         Thanks,
>
>         Mark
>
>     I use vsftp, which can be configured to allow users access only to
>     their web site's tree. sftp might be able to do the same.
>
>     Then, create their user such that their home directory is their web
>     site's directory, and they cannot log in to the system (only vsftp)
>     with an /etc/passwd entry like this:
>     vsftpuser:x:511:511::/var/vhosts/domain.com/docs:/sbin/nologin
>
>     Files in their web site are owned by their user, with read
>     permissions for 'other' (o+r), which allows apache (or nginx) to
>     read them.
>
>     --
>     -Eric 'shubes'




--
-Eric 'shubes'

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
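
The two checks from this message (a login shell that refuses a prompt, and not counting on file permissions to keep the account out of other sites), as an added example that is not part of the original thread. It assumes one directory per site under a common parent; the function names and the list of accepted shell paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit one upload account.

# Print field N of USER's entry in PASSWD_FILE (6 = home, 7 = login shell).
passwd_field() { awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }' "$1"; }

# Succeed only for shells that refuse a prompt. The accepted paths are an
# assumption; as the message says, the location varies with the distro.
is_nologin_shell() {
  case "$1" in
    /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
    *) return 1 ;;
  esac
}

# List directories directly under SITES_DIR, other than the one holding HOME,
# that "other" can read and enter (mode bits 005).
exposed_sites() {
  for dir in "$1"/*/; do
    dir=${dir%/}
    [ -d "$dir" ] || continue
    case "$2/" in "$dir"/*) continue ;; esac   # the account's own site
    if [ -n "$(find "$dir" -prune -type d -perm -005)" ]; then echo "$dir"; fi
  done
}

# audit_account PASSWD_FILE USER SITES_DIR: returns 0 only if both checks pass.
audit_account() {
  home=$(passwd_field "$1" "$2" 6)
  shell=$(passwd_field "$1" "$2" 7)
  rc=0
  is_nologin_shell "$shell" || { echo "FAIL: $2 has login shell '$shell'"; rc=1; }
  exposed=$(exposed_sites "$3" "$home")
  [ -z "$exposed" ] || { echo "WARN: permissions do not keep $2 out of:"; echo "$exposed"; rc=1; }
  return "$rc"
}

# Constructed demo: one account and two neighbouring sites in a temp tree.
demo() {
  t=$(mktemp -d) && mkdir -p "$t/www/domain/fred" "$t/www/open" "$t/www/closed"
  chmod 755 "$t/www/open"; chmod 750 "$t/www/closed"
  printf '%s\n' "fred:x:511:511::$t/www/domain/fred:/bin/bash" > "$t/passwd"
  audit_account "$t/passwd" fred "$t/www" || echo "audit failed"
  rm -rf "$t"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A WARN line means the server's own confinement (the vsftp setting mentioned in the thread, or its sftp equivalent) is the only thing between that account and the listed directories.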